Overview

overview

10

Static

static

3

37473debc7...dN.exe

windows7-x64

10

37473debc7...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37473debc76aa4bcf7756fc84ac0cd3d7dedc32ab9e5e4729bf7399e8e0b143dN.exe

  • Size

    442KB

  • MD5

    b6e4d10a8f240a1c02753efb9fada750

  • SHA1

    7c05f992c9312529090a76ac5c41d38d0be4825f

  • SHA256

    37473debc76aa4bcf7756fc84ac0cd3d7dedc32ab9e5e4729bf7399e8e0b143d

  • SHA512

    660d46fa801982d4d4a132e95a54309e569a053364ed2e2a0ff637f0da2005fde39d6523a23c783bf3110c3f52ee15283041ce0ff2b2d63c8e5c725024856572

  • SSDEEP

    3072:aE2ukbpihVpNawG5lkqrifbdB7dYk1Bx8DpsV68RfPi4meqByN2DmtXGTtiOd/VZ:aEb9iBlkym/89bifPidzIEZ/VZ

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 45 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 48 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37473debc76aa4bcf7756fc84ac0cd3d7dedc32ab9e5e4729bf7399e8e0b143dN.exe
    "C:\Users\Admin\AppData\Local\Temp\37473debc76aa4bcf7756fc84ac0cd3d7dedc32ab9e5e4729bf7399e8e0b143dN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\SysWOW64\Bmbplc32.exe
      C:\Windows\system32\Bmbplc32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\SysWOW64\Bnbmefbg.exe
        C:\Windows\system32\Bnbmefbg.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\Bapiabak.exe
          C:\Windows\system32\Bapiabak.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1160
          • C:\Windows\SysWOW64\Cdabcm32.exe
            C:\Windows\system32\Cdabcm32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2376
            • C:\Windows\SysWOW64\Cmiflbel.exe
              C:\Windows\system32\Cmiflbel.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2204
              • C:\Windows\SysWOW64\Cnicfe32.exe
                C:\Windows\system32\Cnicfe32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:212
                • C:\Windows\SysWOW64\Cmnpgb32.exe
                  C:\Windows\system32\Cmnpgb32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:5056
                  • C:\Windows\SysWOW64\Cdhhdlid.exe
                    C:\Windows\system32\Cdhhdlid.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1776
                    • C:\Windows\SysWOW64\Dhfajjoj.exe
                      C:\Windows\system32\Dhfajjoj.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4688
                      • C:\Windows\SysWOW64\Dmcibama.exe
                        C:\Windows\system32\Dmcibama.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4648
                        • C:\Windows\SysWOW64\Dfknkg32.exe
                          C:\Windows\system32\Dfknkg32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3860
                          • C:\Windows\SysWOW64\Ddonekbl.exe
                            C:\Windows\system32\Ddonekbl.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:5032
                            • C:\Windows\SysWOW64\Dfpgffpm.exe
                              C:\Windows\system32\Dfpgffpm.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2252
                              • C:\Windows\SysWOW64\Dddhpjof.exe
                                C:\Windows\system32\Dddhpjof.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2908
                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                  C:\Windows\system32\Dmllipeg.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4108
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 408
                                    17⤵
                                    • Program crash
                                    PID:8
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
    1⤵
      PID:1008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Bapiabak.exe
      Filesize

      442KB

      MD5

      02fdc877cbb86dbaf4e7bfca8523ba7c

      SHA1

      c1f6a766109325b846b95efe249598aadc7eb4ae

      SHA256

      fa080587a6983719c251773dfbc31427b8ed9e87940108d2a22eda7d33c8a083

      SHA512

      f79d6379da6cb306c0765e32055238a063b0a384cbc60c67d2e524327223b34849e6a8e61b74f46281df645b5b4497bcfc141b9e42dcad8e3f4c0e977d3ff1a2

      Download Submit

    • C:\Windows\SysWOW64\Bbloam32.dll
      Filesize

      7KB

      MD5

      9f6fd0d46979ecca5bf4791134d3ae92

      SHA1

      4f5b0bfcc280d8a6bbcdd7e337e57072f1c27134

      SHA256

      744ae26d57bcb880111586150dcde2cb3d1501927ab7c68c40403234a594b899

      SHA512

      4f2435b60042cc88496a4743d7ddbf5d87fe469bb8a442161f446e21bc14688468ac4618c5205884f721f0f8e1091bad80335bec787d40457078bb920b128643

      Download Submit

    • C:\Windows\SysWOW64\Bmbplc32.exe
      Filesize

      442KB

      MD5

      73094d6a2d2807acfaa852877de6c28f

      SHA1

      4676331979daaca44ad783937a987891194312a9

      SHA256

      9f9fce98133a1e31d13641315c263c87d66829bdfda34cee66150af3df71d5ef

      SHA512

      da3acd852b68eca89ed19a13860f1e560c478c834679a397b370f28803b307351fd6cadce2eeb7e082b4f3a44ab1e869a7cda0180353d70135daa6361dc68452

      Download Submit

    • C:\Windows\SysWOW64\Bnbmefbg.exe
      Filesize

      442KB

      MD5

      1ae285a063d11ecfd70401d195fd8509

      SHA1

      e4e142495090077fe1977c8812e44d24d2af21ec

      SHA256

      7e7672d46ea21792002b69e291833327e1b91418aab9992c543f71b5416b86df

      SHA512

      478c5385bfba87b9680ba49aff4ef48620ff4264e4ed9ec5b86f0f1841363baacfab530f351fe756411419b479894e6c7dac491c0d55d2795ed226096838bb9a

      Download Submit

    • C:\Windows\SysWOW64\Cdabcm32.exe
      Filesize

      442KB

      MD5

      d6222441cba7a08750f3df4bd181efc3

      SHA1

      bfcb84aa03c61de45e2370b1cf80364dd3806f80

      SHA256

      e9807edba2c76f8602c5d7443205f229c8ad2d53b0b61f10da1cefbca0fc2157

      SHA512

      69ed2d55be9ad853fbf47b2e35111a0977f79807bf0346e416949e55b6f5a2183f586cd9d9930b61714755452eb7499c75dc23dffd044818e1e3b3354eb1849b

      Download Submit

    • C:\Windows\SysWOW64\Cdhhdlid.exe
      Filesize

      442KB

      MD5

      5989e8f0e7344c7db04b3efc6d788909

      SHA1

      f06d959f80d90df9da87c583ccb3cc44f0190db8

      SHA256

      a0568e7b6cf8cd79474c800a1c2a17cbf1b23bf9a877a98107a2c199348c5e2b

      SHA512

      0c874822c2d837c8379b297c317616531e709f41bff7b35f45bbd0e48aa77094cb416355233362d4b3f46d96c2c630ef9362b232038afc02dd3bfcec9d979f6d

      Download Submit

    • C:\Windows\SysWOW64\Cmiflbel.exe
      Filesize

      442KB

      MD5

      bcf9dbe0e96072716d12cbaadf07323e

      SHA1

      ea954d4b75a4ec3a801cb3a0e893a5639e65681e

      SHA256

      3a4e5f6da8a76d0ea43bf8c08121d0862b961df6591cf509e8d0ed4a5dcf5934

      SHA512

      65c7ee850098443fe2b547c5b129c956318a8d01b61cdc068145de1d4f355fb890dd783b6828e46ca495817ae0943f2a15f7608d715e47273fdce84fc77826ed

      Download Submit

    • C:\Windows\SysWOW64\Cmnpgb32.exe
      Filesize

      442KB

      MD5

      631acfb6f0e1501c8af5a776529a3b1e

      SHA1

      8d91a22bba662384009a07ecf5546164b4e9cbcd

      SHA256

      f20ac8d08f82280e78985002a310fb7a52dde562f714b23e9283e29e3ffa54d7

      SHA512

      f5612a89c55b8ff06bde91fafb9d1f194f91b23c288ab844beb2beadc67d178f7d699814af0634bff83abb1155ea2f105f21bf36d67880f28f52468a857333ba

      Download Submit

    • C:\Windows\SysWOW64\Cnicfe32.exe
      Filesize

      442KB

      MD5

      06226809d80b43468d0465f3a1ffaecf

      SHA1

      c71caba76b446d292dc8e69349d59bdc14c21358

      SHA256

      7f893613a75ec3d179acd6158ffffcd937dcaf61859b8edd0ca034d10a66dfae

      SHA512

      d4997c9fd4d87644b9713b17d6a25dd5fe5bd0c10d89e1d5087098db3ec968f7cf0ca1cce8ed3de111c3ca1458068c115a00eca1e599c47d09c65335191efcf6

      Download Submit

    • C:\Windows\SysWOW64\Dddhpjof.exe
      Filesize

      442KB

      MD5

      233adfeb82360625b3ad9e5f15648e7b

      SHA1

      0e304669fef0f7e087809a6a63dd1cdfa0fa7b1b

      SHA256

      8e008d15d2d5c145f66b48836213bf7a70cf87981b6930a8a656679f894d44f5

      SHA512

      2e1b7b29e6e1b89c193586c004884daeddd5ea4bf927a9ef2bcc4aa1f2d178a322f48439156ec33bf0384d200aa582da51b0689a9b314433d9d6796960bd8d5f

      Download Submit

    • C:\Windows\SysWOW64\Ddonekbl.exe
      Filesize

      442KB

      MD5

      936c360be85870042ee9454d2a58a857

      SHA1

      a1d42039aa0c6f0460eb36751eb3be52dbc9ebcf

      SHA256

      59bf47a965e4f6faaf36f81f0ae17ad1aeb9816aa9e7c72851c5b39a745fae4b

      SHA512

      973c0665b96290575924118a105c29e5381f2474e719c7f33b460f750450d541faec82ad46cf7f9931fec97d912b14e17692a3c57dce4e63789d40e099fe5c1f

      Download Submit

    • C:\Windows\SysWOW64\Dfknkg32.exe
      Filesize

      442KB

      MD5

      5496a4fb74f09126428571117d27ffa6

      SHA1

      27e6746e6eed8c1b27f1d6f3e53121e4663765f9

      SHA256

      fafc075ab66791ea931f6b167b0c0e17776256dadf08e79649d8ae1dcf7c88e5

      SHA512

      7cdae1e0848a74a33c340ef5e6f6684bd16c3fa2072203eb766da58b4cc6f92343ca694637a0c199a5ff62e663f182b24caa3e473eb28faf9230ad3f8a3c8279

      Download Submit

    • C:\Windows\SysWOW64\Dfpgffpm.exe
      Filesize

      442KB

      MD5

      9570c4a6c2fd3fb199a5e8e1b1e4ec3f

      SHA1

      a465451e9f9ba2c6572d72a548830cace18bf04c

      SHA256

      bf6d21f8f2c9d8ccfe7de94d1e3c97d83c039180ed71d3637e32de585f23d079

      SHA512

      24aec6e863e0425ccb87c550ba2cf891a878aabd121d1ed09080be818c7b4463cc55748db93c183ec43a85c8c14ab297bdf8e652ee62cec02a2b9bdb940cef8b

      Download Submit

    • C:\Windows\SysWOW64\Dfpgffpm.exe
      Filesize

      442KB

      MD5

      7059fd2e0bad608de5dea8cc157949e8

      SHA1

      e49f349d1f52abb356e24c8c352ce3aad44d47fe

      SHA256

      62f356721dada585a5cd906d806ddc4c334844e6f5bc41fccf75bdf54aa507b0

      SHA512

      8832a6889cba25ca587c9b1cc07e321ff256cc5b3a6eed3712f1ec5af147dab36e003828fff6d7f26ab1250f159c5a7f17d8fc877c91c9cfe99f7fd3fc2d03b0

      Download Submit

    • C:\Windows\SysWOW64\Dhfajjoj.exe
      Filesize

      442KB

      MD5

      82c1201c567bb167031531d529349a45

      SHA1

      96d4e1ca89af278fb4fb87b8c0818aa03b9836e1

      SHA256

      f156e7efb63654a0efa72b03d13bb2d5d1d26215dae2492379d95543fe7f05c0

      SHA512

      6aa02d5f8a574a7270ebdbf51a19bf8993e2f957c789c217232ac417158702c8a492f72da660984c3598cd1c1a87459d163a6f281970a72ad0c32ebde1bd86c1

      Download Submit

    • C:\Windows\SysWOW64\Dmcibama.exe
      Filesize

      442KB

      MD5

      d1b27f7e5b020161185f726b959fd94a

      SHA1

      5d1934ddd8d8af59b070cb2938e30bd3ceb4c32e

      SHA256

      c3b14f4278eb2e7da448656005d05cbd425d0efc7f2bf0940bf8b45f17d609ac

      SHA512

      18b02a253177edc8e04a3c9e17963cb151ed9638310a17eb98e1c12d738fd747273e07e5e1db7b743e1dd849c0aaf70cdcadb45fb238d390f24c504e0f4e9d18

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      442KB

      MD5

      9c9ba2384c7f4dee793460dded26091e

      SHA1

      4aece405d46393f5b2bbb46d34fc08db83ece9c6

      SHA256

      98a5583c6888637b0767807a321c1a80e3743d9177d9f560e4eb309b29cbf80e

      SHA512

      541fe677db77708374fe5366266c0fc076d2a11967515163ea980e63dadf6d515da68a8538307300775a3cbf1dd675dcaf12ac1f48bb646d8c0758e108cc6a52

      Download Submit

    • memory/212-139-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/212-47-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1160-145-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1160-24-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1776-135-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1776-64-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2204-141-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2204-40-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2252-103-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2252-127-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2376-143-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2376-31-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2832-20-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2908-124-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2908-112-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3552-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3552-150-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3692-7-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3692-148-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3860-129-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3860-88-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4108-123-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4108-119-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4648-131-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4648-80-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4688-72-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4688-133-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5032-95-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5032-128-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5056-56-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5056-137-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download